

PROTOCOL FOR MANAGING AND  
A METHOD FOR TRANSFORMING AND VERIFYING AND OF  
CONVERTING A DOWNLOADED PROGRAM FRAGMENT FRAGMENTS WITH DATA  
TYPES RESTRICTIONS AND  
CORRESPONDING SYSTEMS SYSTEM

## BACKGROUND OF THE INVENTION

**1. Field of the invention**

The invention relates to a protective process for managing, a method of verifying and a method of transforming a downloaded program fragment and the corresponding systems, more particularly intended for on-board embedded data-processing systems having few resources available in terms of with limited memory and of computing power resources.

## 2. Prior Art

In a general way, by reference to ~~figure~~Figure 1a, it is reiterated that ~~on-board~~embedded data-processing systems 10 include a microprocessor 11, a permanent memory, such as a non-writable memory 12 containing the code of the executable program, and a rewritable, nonvolatile, permanent memory ~~15~~13 of EEPROM type containing the data stored in the system, a volatile, random-access memory 14 in which the program stores its intermediate results while it is executing, and input/output devices 15 allowing the system to interact with its environment.—In When the ~~case in which the~~ ~~on-board~~embedded data-processing system consists of a microprocessor card, of the bank-card type, the input/output device 15 consists of a serial link allowing the card to communicate with a terminal, such as a card-reader terminal.

In conventional on boardembedded data-processing systems, the code of the program executed by the system is fixed during construction of the system, or, at the latest, when the latter is customized before delivery to the final user.

1 More sophisticated ~~on-board~~embedded data-processing systems have, however, been  
2 implemented, these systems being reprogrammable, such as microprocessor cards of the  
3 ~~JavaCard~~JAVACARD type, for example. ~~With respect Compared~~ to the ~~preceding~~earlier types,  
4 these reprogrammable systems add the possibility of enhancing the program after the system has  
5 been put into service, via an operation of downloading program fragments. These program  
6 ~~fragments of programs, widely designated by, commonly known as~~ “applets”, will be  
7 ~~designated~~referred to as applets or program fragments indiscriminately in the present description.  
8 For a more detailed description of ~~JavaCard~~JAVACARD systems, reference could usefully be  
9 made to the documentation published by the company SUN MICROSYSTEMS INC., and in  
10 particular to the electronically available documentation, ~~JavaCard~~JAVACARD technology  
11 chapter, on the ~~www~~—(World Wide Web) at site <http://java.sun.com/products/javacard/index.html>, available since June 1999.

13 ~~figure~~Figure 1b illustrates the architecture of such a reprogrammable ~~on-board~~embedded  
14 data-processing system. This architecture is similar to that of a conventional ~~on-board~~embedded  
15 system, ~~with apart from~~ fact that the reprogrammable ~~on-board~~embedded system  
16 can ~~moreover~~in addition receive applets ~~by way of~~via one of its input/output devices, then store  
17 them in its permanent memory 13 from which they can then be executed as a ~~supplement~~  
18 ~~to~~complementing the main program.

19 For reasons of portability between different ~~on-board~~embedded data-processing systems,  
20 applets ~~are presented in~~take the form of code for a standard virtual machine. This code is not  
21 directly executable by the microprocessor 11, but it has to be interpreted in software terms by a  
22 virtual machine 16, which consists of a program resident in a non-writable permanent memory  
23 12. In the abovementioned example of ~~JavaCard~~JAVACARD cards, the virtual machine used is

1 a subset of the JavaJAVA virtual machine. For a description of the specifications relating to the  
2 JavaJAVA virtual machine and of the virtual machine used, reference could usefully be made to  
3 the work published by Tim LINDHOLM and Frank YELLIN, entitled "The Java Virtual Machine  
4 Specification", Addison-Wesley 1996, and to the documentation published by the company SUN  
5 MICROSYSTEMS INC. "JavaCardJAVACARD 2.1 Virtual Machine Specification",  
6 documentation available electronically on the wwwWorld Wide Web at site  
7 <http://java.sun.com/products/javacard/JCVMspec.pdf>, since March 1999.

8 The operation of downloading applets onto an on-boardembedded data-processing system  
9 in service poses considerable security problems. An applet which is involuntarilyunintentionally,  
10 or even deliberately, badly written may incorrectly modify data present on the system, prevent the  
11 main program from executingbeing executed correctly or at the right time, or elseeven modify  
12 other applets downloaded previously, making them unusable or harmful.

13 An applet written by a computer hacker may also divulge confidential information stored  
14 in the system, information such as the access code in the case of a bank card, for example.

15 At the present time, three solutions have been proposed with a view to remedying the  
16 problem of applet security-of applets.

17 A first solution consists in using cryptographic signatures, so as in order to accept only  
18 applets originating from trusted bodiesorganizations or persons.

19 In the abovementioned example of a bank card, only the applets bearing the cryptographic  
20 signature of the bank having issued the card are accepted and executed by the card, any other  
21 unsigned applet being rejected in the course of the downloading operation. An ill-intentioned  
22 user of the card, not having available encryption keys from the bank, will therefore be ineapable  
23 of executingunable to execute an unsigned and dangerous applet on the card.

1        This first solution is well adaptedsuited to the case where all the applets originate from  
2        the same single source, the bank in the abovementioned example. This solution is difficult to  
3        apply in the case ~~in which~~where the applets originate from several sources, such as, in the  
4        example of a bank card, the ~~card~~ manufacturer ~~of the card~~, the bank, the ~~bodies~~organizations  
5        managing ~~services~~by bank card services, the large commercial distribution organizations  
6        offering ~~clientele~~customers loyalty programs and ~~proposing~~legitimately~~;~~offering to download  
7        specific applets onto the card. The sharing and the holding among these various economic  
8        participants of the encryption keys necessary for the electronic signature of the applets pose  
9        major technical, economic and legal problems.

10        A second solution consists in carrying out dynamic ~~checks~~on-access and ~~on~~typing ~~during~~while  
11        ~~the execution of~~checks while executing the applets.

12        In this solution, the virtual machine carries out a certain number of checks, ~~during the~~while  
13        ~~execution of~~executing the applets, such as:

- 14        • ~~check of~~memory access ~~to the~~memory~~check~~: upon each read or write in a memory  
15        area, the virtual machine verifies the right of access by the applet to the corresponding data;
- 16        • dynamic verification of the data types: upon each instruction from the applet, the  
17        virtual machine verifies that the constraints on the data types are satisfied. By way of example,  
18        the virtual machine may ~~have~~apply special ~~handling for~~processing to data such as valid memory  
19        addresses, and prevent the applet generating invalid memory addresses by way of integer/address  
20        conversions or arithmetic operations on the addresses;
- 21        • detection of stack overflows and of illegal accesses to the execution stack of the  
22        virtual machine, which, under certain conditions, are likely to disturb the operation thereof, to the  
23        point of circumventing the preceding check mechanisms.

1        This second solution allows execution of a wide range of applets under satisfactory  
2        security conditions. However, it ~~feature~~represents the drawback of a considerable slowing of the  
3        execution, caused by the range of dynamic verifications. In order to obtain a reduction in this  
4        slowing ~~effect~~, some of these verifications can be ~~taken charge of~~managed by the microprocessor  
5        itself, at the cost, however, of an increase in the complexity thereof and thus of the cost price of  
6        the ~~on-board~~embedded system. Such verifications furthermore increase the ~~requirements for~~  
7        random-access and permanent memory ~~requirements of~~ the system, ~~by reason~~because of the  
8        additional type information which ~~it is necessary to associate~~must be associated with the data  
9        handled.

10       A third solution consists in carrying out a static verification of the code of the applet  
11       during the downloading.

12       In this solution, this static verification simulates the execution of the applet at the level of  
13       the data types and establishes, once and for all, that the code of the applet complies with the rule  
14       of data types and of access control imposed by the virtual machine and does not cause a stack  
15       overflow. If this static verification is successful, the applet can then be executed without it being  
16       necessary dynamically to verify that this rule is complied with. In the event that the static  
17       verification process fails, the ~~on-board~~embedded system rejects the “applet” and does not allow  
18       its subsequent execution. For a more detailed description of the abovementioned third solution,  
19       reference could usefully be made to the work published by Tim LINDHOLM and Frank YELLIN  
20       quoted above, to the article published by James A. GOSLING entitled “Java Intermediate Byte  
21       Codes”, proceedings of the ACM SIGPLAN, Workshop on Intermediate Representations  
22       (IR’95), pages 111-118, January 1995, and to the US patent 5,748,964 granted on 05/05/1998.

1                   Compared with the second solution, the third solution presents the advantage of a much  
2                   more rapid execution of the applets, since the virtual machine does not carry out any verification  
3                   during execution.

4                   The third solution, however, ~~features~~<sup>presents</sup> the drawback of a process of static  
5                   verification of the code which is complex and expensive, both in terms of size of code necessary  
6                   to conduct this process and in terms of size of random-access memory necessary to contain the  
7                   intermediate results of the verification, and in terms of computation time. By way of illustrative  
8                   example, the code verification ~~integrated into~~<sup>incorporated in</sup> the ~~Java~~<sup>JAVA</sup> JDK system  
9                   marketed by SUN MICROSYSTEMS represents about 50 ~~bytes~~<sup>bytes</sup> of machine code, and its  
10                  consumption in terms of random-access memory is proportional to  $(T_p + T_r) \times N_b$ , where  $T_p$   
11                  designates the maximum stack space,  $T_r$  designates the maximum number of registers and  $N_p N_b$   
12                  designates the maximum number of ~~branching~~<sup>branch</sup> targets used by a ~~subprogram~~<sup>subroutine</sup>,  
13                  also ~~widely designated by~~<sup>commonly called</sup> method, of the applet. These memory requirements  
14                  greatly ~~exceeded~~<sup>exceed</sup> the capacities of the resources of ~~the majority of the~~<sup>most</sup> present-day on-  
15                  board~~embedded~~<sup>embedded</sup> data-processing systems, especially of commercially available microprocessor  
16                  cards.

17                  Several variants of the third solution have been proposed, in which the ~~writer~~<sup>publisher</sup> of  
18                  the applet sends to the verifier, in addition to the code of the applet, a certain amount of specific  
19                  supplementary information such as precalculated data types or preestablished proof of correct  
20                  data typing. For a more detailed description of the corresponding ~~operating modes~~<sup>procedures</sup>,  
21                  reference could usefully be made to the articles published by Eva ROSE and Kristoffer  
22                  HØGSBRO~~HØGSBRO~~ ROSE, "Lightweight Bytecode Verification", proceedings of the  
23                  Workshop on Formal Underspinning of ~~Java~~<sup>JAVA</sup>, October 1998, and by George C. NECULA,

1 "Proof-Carrying Code", Proceedings of the 24th ACM Symposium on Principles of  
2 Programming Languages, pages 106-119, respectively.

3 This supplementary information makes it possible to verify the code more rapidly and  
4 slightly to reduce the size of the ~~code of the~~ verification program code but does not make it  
5 possible, however, to reduce the requirements for random-access memory, ~~or~~and even increases  
6 them, very substantially, in the case of the correct-data-typing preestablished-proof information.

7 SUMMARY OF THE INVENTION

8 The object of the present invention is to remedy the abovementioned drawbacks of the  
9 prior art.

10 In particular, one subject of the present invention is the implementation of a  
11 ~~protocol~~process for managing a downloaded program fragment, or applet, allowing execution of  
12 the latter by an on-boardembedded data-processing system having ~~few~~limited resources  
13 available, such as a microprocessor card.

14 Another subject of the present invention is also the implementation of a method of  
15 verifying a downloaded program fragment, or applet, in which a process of static verification of  
16 the code of the applet is conducted when it is downloaded, this process possibly being  
17 ~~aligned~~similar, at least in its principle, ~~with~~to the third solution described above, but ~~in~~into which  
18 new verification techniques are introduced, so as to allow execution of this verification within  
19 the ~~limits of values of~~ memory size and ~~of~~ computation speed value limits imposed by the  
20 microprocessor cards and other low-power on-boardembedded data-processing systems.

21 Another subject of the present invention is also the implementation of methods of  
22 transforming program fragments of conventional type obtained, for example, by the use of a  
23 JavaJAVA compiler ~~on~~into standardized program fragments, or applets, satisfying, a priori, the

1 verification criteria of the verification method which is the subject of the invention, with a view  
2 to accelerating the process of verifying and executing ~~them at the level of latter~~ in present-day  
3 microprocessor cards or ~~on-board~~embedded data-processing systems.

4 Another subject of the present invention is, finally, the production of ~~on-board~~embedded  
5 data-processing systems ~~allowing enabling the~~ implementation of the abovementioned  
6 ~~protocol process~~ for managing and ~~of the abovementioned~~ method of verifying a downloaded  
7 program fragment as well as of data-processing systems ~~allowing enabling the~~ implementation of  
8 the methods of transforming conventional program fragments, or applets, into standardized  
9 program fragments, or applets, as mentioned above.

10 The ~~protocol process~~ for managing a downloaded program fragment ~~and downloaded to~~ a  
11 reprogrammable ~~on-board~~embedded system, which is the subject of the present invention, applies  
12 especially to a microprocessor card ~~equipped~~provided with a rewritable memory. The program  
13 fragment consists of an object code, a series of instructions, executable by the microprocessor of  
14 the ~~on-board~~embedded system by ~~way means~~ of a virtual machine ~~equipped~~provided with an  
15 execution stack and with local variables or registers manipulated ~~via~~ by these instructions and  
16 ~~making it possible used~~ to interpret this object code. The ~~on-board~~embedded system is  
17 interconnected ~~to with~~ a terminal.

18 It is noteworthy in that it consists at least, at the level of the ~~on-board~~embedded system, in  
19 detecting a command for downloading ~~of~~ the program fragment. On a positive response to the  
20 ~~stage step~~ consisting in detecting a ~~downloading~~download command, it further consists in reading  
21 the object code constituting the program fragment and in temporarily storing this object code in  
22 the rewritable memory. The whole of the object code stored in memory is subjected to a  
23 verification process, instruction by instruction. The verification process consists at least in a

1        ~~stage of step~~ for initializing the type stack and the ~~table of register type~~ type array representing  
2        the state of the virtual machine at the start of the execution of the temporarily stored object code  
3        and in a succession of ~~stages of verification~~ steps for verifying, instruction by instruction, of the  
4        existence, for each current instruction, of a target, ~~branching~~ branch-instruction target, target of an  
5        exception handler, and in a verification and an updating of the effect of the current instruction on  
6        the type stack and on the ~~table of register types~~ type array. In the event of an unsuccessful  
7        verification of the object code, the ~~protocol~~ process which is the subject, of the invention consists  
8        in deleting the ~~momentarily recorded~~ temporarily stored program fragment, ~~when omitting to~~  
9        ~~record if the latter is not stored~~ in the directory of available program fragments, and in sending an  
10      error code to the reader.

11        The method of verifying a program fragment downloaded ~~onto~~ to an ~~on board~~ embedded  
12      system, which is the subject of the invention, applies especially in particular to a microprocessor  
13      card equipped with a rewritable memory. The program fragment consists of an object code and  
14      includes at least one ~~subprogram~~ subroutine, a series of instructions, executable by the  
15      microprocessor of the ~~on board~~ embedded system by ~~way~~ means of a virtual machine  
16      ~~equipped~~ provided with an execution stack and with operand registers manipulated by these  
17      instructions, and ~~making it possible~~ used to interpret this object code. The ~~on board~~ embedded  
18      system is interconnected ~~to~~ with a reader.

19        It is noteworthy in that, following the detection of a ~~downloading~~ download command and  
20      the storage of the object code constituting the program fragment in the rewritable memory, it  
21      consists, for each ~~subprogram~~ subroutine, in carrying out a ~~stage of step~~ for initializing the type  
22      stack and the ~~table of register type~~ type array by data representing the state of the virtual machine  
23      at the start of the execution of the temporarily stored object code, in carrying out a verification of

1 the temporarily stored object code instruction by instruction, by discerning the existence, for each  
2 current instruction, of: a branchingbranch-instruction target, of a target of an exception-handler  
3 call or of a target of a subroutine call, and in carrying out a verification and an updating of the  
4 effect of the current instruction on the data types of the type stack and of the table-of-register  
5 typestype array, on the basis of the existence of a branchingbranch-instruction target, of a target  
6 of a subroutine call or of a target of an exception-handler call. The verification is successful  
7 when the table-of-register typestype array is not modified in the course of a verification of all the  
8 instructions, the verification process being carried out instruction by instruction until the table-of  
9 register typestype array is stable, with no modification present. Otherwise the verification  
10 process is interrupted.

11 The method of transforming an object code of a program fragment into a standardized  
12 object code for this same program fragment, which is the subject of the present invention, applies  
13 to an object code of a program fragment in which the operands of each instruction belong to the  
14 data types manipulated by this instruction, the execution stack does not exhibit any overflow  
15 phenomenon and, for each branchingbranch instruction, the type of the variables of the stack at  
16 this branchingbranch is the same as at the targets of this branching-branch. The standardized  
17 object code obtained is such that the operands of each instruction belong to the data types  
18 manipulated by this instruction, the execution stack does not exhibit any overflow phenomenon  
19 and the execution stack is empty at each branchingbranch-target instruction.

20 It is noteworthy in that it consists, for all the instructions of the object code, in annotating  
21 each current instruction with the data type of the execution stack before and after the execution of  
22 this instruction, the annotation data being calculated by means of an analysis of the data stream  
23 relating to this instruction, in detecting, within the instructions and within each current

1 instruction, the existence of ~~branchings~~branches for which the execution stack is not empty, the  
2 detection operation being carried out on the basis of the annotation data of the type of stack  
3 variables allocated to each current instruction.—~~In the presence of a~~ On detection of a non-empty  
4 execution stack, it further consists in inserting instructions to transfer stack variables on either  
5 side of these ~~branchings~~branches or of these ~~branching~~branch targets in order to empty the  
6 contents of the execution stack into temporary registers before this ~~branching~~branch and to  
7 reestablish the execution stack from the temporary registers after this ~~branching~~branch, and in not  
8 inserting any transfer instruction otherwise.

9 This method thus makes it possible to obtain a standardized object code for this same  
10 program fragment, in which the execution stack is empty at each ~~branching~~branch instruction and  
11 ~~branching~~branch-target instruction, in the absence of any modification ~~to~~of the execution of the  
12 program fragment.

13 The method of transforming an object code of a program fragment into a standardized  
14 object code for this same program fragment, which is the subject of the present invention,  
15 applies, moreover, to an object code of a program fragment in which the operands of each  
16 instruction belong to the data types manipulated by this instruction, and a operand of given type  
17 written into a register by an instruction of this object code is ~~read~~read back from this same  
18 register by another instruction of this object code with the same given data type. The  
19 standardized object code obtained is such that the operands belong to the data types manipulated  
20 by this instruction, one and the same data type being allocated to the same register throughout the  
21 standardized object code.

22 It is noteworthy in that it consists, for all the instructions of the object code, in annotating  
23 each current instruction with the data type of the registers before and after the execution of this

1 instruction, the annotation data being calculated by means of an analysis of the data stream  
2 relating to this instruction, and in carrying out a reallocation of the original registers employed  
3 with different types, by dividing these original registers into separate standardized registers. One  
4 standardized register is allocated to each data type used.—Reupdating A reupdating of the  
5 instructions which manipulate the operands which use the standardized registers is carried out.

6 The protocolprocess for managing a program fragment, the method of verifying a  
7 program fragment, the methods of transforming object code of program fragments into  
8 standardized object code and the corresponding systems, which are the subjects of the present  
9 invention, find ~~an~~ application in the development of reprogrammable ~~onboard~~embedded systems,  
10 such as microprocessor cards, especially in the Java environment.

#### 11 BRIEF DESCRIPTION OF THE DRAWINGS

12 They will be better understood on reading the description and on perusing the drawings  
13 below, ~~in which, other than figures 1a and 1b relating to the prior art:~~

14 Figure 1a represents the architecture of a prior art embedded system.

15 Figure 1b represents the architecture of a prior art reprogrammable embedded system.

16 - Figure 2 represents a flow chart illustrating the protocolprocess for managing a  
17 program fragment downloaded ~~onto~~to a reprogrammable ~~on-board~~embedded system,

18 Figure 3a represents, by way of illustration, a flow chart of a method of verifying, a  
19 downloaded program fragment in accordance with the subject of the present invention,

20 Figure 3b represents a diagram illustrating data types and sub-typing relationships  
21 implemented by the method of managing and the method of verifying a downloaded program  
22 fragment, which is the subject of the present invention,

1           Figure 3c represents a detail of the verification method as claimed in figure according to

2           Figure 3a, relating to the managing of a branchingbranch instruction,

3           Figure 3d represents a detail of the verification method as claimed in figure according to

4           Figure 3a, relating to the managing of a subroutine-call instruction,

5           Figure 3e represents a detail of the verification method as claimed in figure according to

6           Figure 3a, relating to the managing of an exception-handler target,

7           Figure 3f represents a detail of the verification method as claimed in figure according to

8           Figure 3a, relating to the managing of a target of incompatible branchingsbranches,

9           Figure 3g represents a detail of the verification method as claimed in figure according to

10           Figure 3a, relating to the managing of an absence of branchingbranch target,

11           Figure 3h represents a detail of the verification method as claimed in figure according to

12           Figure 3a, relating to the managing of the effect of the current instruction on the type stack,

13           Figure 3i represents a detail of the verification method as claimed in figure according to

14           Figure 3a, relating to the managing of an a register read instruction for reading a register,

15           Figure 3j represents a detail of the verification method as claimed in figure according to

16           Figure 3a, relating to the managing of an a register write instruction for writing to a register,

17           Figure 4a represents a flow chart illustrating a method of transforming an object code of a

18           program fragment into a standardized object code for this same program fragment with a

19           branchingbranch instruction, respectively a branchingbranch-target instruction, with an empty

20           stack,

21           Figure 4b represents a flow chart illustrating a method of transforming an object code of a

22           program fragment into a standardized object code for this same program fragment, making use of

23           typed registers, a single specific data type being attributed assigned to each register,

1                   Figure 5a represents a detail of implementation of the transformation method illustrated  
2                   in ~~figure~~Figure 4a,

3                   Figure 5b represents a detail of implementation of the transformation method illustrated  
4                   in ~~figure~~Figure 4b,

5                   Figure 6 represents a functional diagram of the complete architecture of a system for  
6                   ~~development of~~developing a standardized program fragment, and of a reprogrammable  
7                   microprocessor card ~~allowing implementation of the protocol used to implement the process~~ for  
8                   managing and the method of verifying a program fragment in accordance with the subject of the  
9                   present invention.

10                   DESCRIPTION OF THE PREFERRED EMBODIMENTS

11                   In general, it is indicated that the ~~protocol~~process for managing and the method of  
12                   verifying and transforming a downloaded program fragment, which is the subject of the present  
13                   invention, and the corresponding systems, are implemented ~~thanks to~~using a software  
14                   architecture for the secure downloading and execution of applets on an ~~on-board~~embedded data-  
15                   processing system with ~~few~~limited resources, such as, in particular, microprocessor cards.

16                   In general, it is indicated that the description below concerns the application of the  
17                   invention in the context of reprogrammable microprocessor cards of JavaCardJAVACARD type,  
18                   cf. documentation available electronically from the company SUN MICROSYSTEMS INC.,  
19                   JavaCardJAVACARD Technology heading mentioned previously in the description.

20                   However, the present invention is applicable to any ~~on-board~~embedded system which is  
21                   reprogrammable by downloading an applet which is written in the code of a virtual machine  
22                   including an execution stack, local variables or registers, and of which the execution model is  
23                   strongly typed, each instruction of the code of the applet ~~applying~~being applied only to specific

1 data types. The protocolprocess for managing a program fragment downloaded ~~onto~~ to a  
2 reprogrammable ~~on-board~~embedded system, which is the subject of the present invention, will  
3 now be described in more detail with reference to ~~fig~~Fig. 2.

4 With reference to the abovementioned figure, it is indicated that the object code which  
5 makes up the program fragment or applet consists of a series of instructions which can be  
6 executed by the microprocessor of the ~~on-board~~embedded system by means of the  
7 abovementioned virtual machine. The virtual machine ~~makes it possible~~is used to interpret the  
8 abovementioned object code. The ~~on-board~~embedded system is interconnected ~~to~~with a terminal  
9 via, for instance, a serial link.

10 With reference to the abovementioned ~~fig~~Fig. 2, the management protocolprocess which  
11 is the subject of the present invention consists at least, in the ~~on-board~~embedded system, in  
12 detecting a command to download this program fragment in a ~~stage~~100step 100a, 100100b.  
13 Thus, ~~stage~~100step 100a may consist of a ~~stage~~ofstep for reading the abovementioned command,  
14 and ~~stage~~100step 100b may consist of a ~~stage~~ofstep for testing the command which has been  
15 read and verifying the existence of a ~~downloading~~download command.

16 On a positive response to the abovementioned ~~stage~~100step 100a, 100100b ~~eff~~ for detecting  
17 a ~~downloading~~download command, the protocolprocess which is the subject of the present  
18 invention ~~subsequently~~then consists in reading, at ~~stage~~step 101, the object code which makes up  
19 the relevant program fragment, and temporarily storing the abovementioned object code in the  
20 memory of the ~~on-board~~embedded data-processing system. The abovementioned temporary  
21 ~~storage~~storage operation can be executed either in the rewritable memory or, if appropriate, in the  
22 random-access memory of the ~~on-board~~embedded system, when ~~this~~the latter has sufficient

1 capacity. The stage of step for reading the object code and temporarily storing it in the rewritable  
2 memory is designated as loading the code of the load applet code in Fig. 2.

3 The abovementioned stage step is then followed by a stage step 102 consisting in  
4 submitting the whole of the temporarily stored object code to a process of verification,  
5 instruction by instruction, of the abovementioned object code.

6 The verification process consists, at least in a stage of step for initializing the type stack of  
7 types and the table of data type type array representing the state of the virtual machine at the start  
8 of execution of the temporarily stored object code, and in a succession of stages of steps for  
9 verifying, instruction by instruction, by discerning the existence, for each current instruction,  
10 designated  $I_i$ , of a target such as a branching branch-instruction target designated CIS, a target  
11 of CIB, an exception-handler call target or a target of a subroutine call. A verification and  
12 updateupdating of the effect of the current instruction  $I_i$  on the type stack of types and on the  
13 table of register type type array is carried out.

14 When the verification has been<sup>103</sup> is successful at stage step 103a, the protocol process  
15 which is the subject of the present invention consists in recordingstoring, at stage step 104, the  
16 downloaded program fragment in a directory of available program fragments, and in sending to  
17 the reader, at stage step 105, a positive reception acknowledgment.

18 On the other hand, in the case of unsuccessful verification of the object code at stage step  
19 103b, the protocol process which is the subject of the present invention consists in inhibiting, in a  
20 stage step 103c, any execution on the on board embedded system of the momentarily  
21 recordedtemporarily stored program fragment. The inhibition stage step 103c can be  
22 implemented in various ways. As a nonlimiting example, this stage step can consist in deleting,  
23 at stage step 106, the momentarily recordedtemporarily stored program fragment, without

1 ~~recording~~storing this program fragment in the directory of available program fragments and, at  
2 ~~stage~~step 107, in sending an error code to the reader.—~~Stages~~Steps 107 and 105 can be  
3 implemented either sequentially after ~~stages~~steps 106 and 104 respectively, or in multitasking  
4 operation with them.

5 With reference to the same ~~fig~~Fig. 2, on a negative response to the ~~stage~~step consisting in  
6 detecting a ~~downloading~~download command at ~~stage~~step 100b, the ~~protocol~~process which is  
7 the subject of the present invention consists in detecting, in a ~~stage~~step 108, a command to select  
8 an available program fragment from a directory of program fragments and, on a positive response  
9 to ~~stage~~step 108, having detected the selection of an available program fragment, in calling, at  
10 ~~stage~~step 109, this selected available program fragment in order to execute it.—~~Stage~~Step 109 is  
11 then followed by a ~~stage~~step 110 ~~effor~~ for executing the called available program fragment by  
12 ~~way~~means of the virtual machine, with no dynamic verification of variable types, rights of access  
13 to the objects which are manipulated by the called available program fragment, or overflow of  
14 the execution stack when each instruction is executed.

15 In the case where a negative response is obtained at ~~stage~~step 108, this ~~stage~~step  
16 consisting in detecting a command to select a called available program fragment, the  
17 ~~protocol~~process which is the subject of the present invention consists in proceeding, ~~in~~at a  
18 ~~stage~~step 111, to process the standard commands of the ~~on-board~~embedded system.

19 Regarding the absence of dynamic verification of type or rights of access to objects of, for  
20 instance, ~~JavaCard~~JAVACARD type, it is indicated that this absence of verification does not  
21 compromise the security of the card, because the code of the applet has necessarily successfully  
22 ~~passed~~undergone verification.

1 More specifically, it is indicated that the code verification which is carried out, ~~as claimed~~  
2 in accordance with the method which is the subject of the present invention, on the  
3 microprocessor card or ~~on-board~~embedded data-processing system is more selective than the  
4 customary verification of codes for the virtual JavaJAVA machine as described in the work  
5 entitled "The Java Virtual Machine Specification" ~~which was~~ mentioned previously in the  
6 description.

7 However, any code of the JavaJAVA virtual machine which is correct as far as the  
8 ~~traditional Java~~conventional JAVA verifier is concerned can be transformed into an equivalent  
9 code which is capable of passing successfullyundergoing the code verification which is carried  
10 out on the microprocessor card.

11 Whereas it is possible to imagine writing directly JavaJAVA codes which satisfy the  
12 ~~abovementioned~~ verification criteria mentioned previously in the context of implementing the  
13 protocolprocess which is the subject of the present invention, a noteworthy object of the latter is  
14 also the implementation of a method of automatic transformation of any standard JavaJAVA  
15 code into a standardized code for the same program fragment, necessarily satisfying the  
16 verification criteria implemented as mentioned above. The method of transformation into  
17 standardized code, and the corresponding system, will be described in detail ~~subsequently~~later in  
18 the description.

19 A more detailed description of the method of verifying a program fragment, or applet, in  
20 accordance with the subject of the present invention, will now be given with reference to ~~fig~~Fig.  
21 3a and the subsequent figures.

22 In general, it is indicated that the verification method which is the subject of the present  
23 invention can be implemented either as part of the protocolprocess for managing a program

1 fragment which is the subject of the present invention as described above with reference to  
2 ~~fig~~Fig. 2, or independently, to provide whatever verification process is judged necessary.

3 In general, it is indicated that a program fragment is made up of an object code including  
4 at least one ~~subprogram~~subroutine, more commonly ~~designated~~called a method, and is made up  
5 of a series of instructions which can be executed by the microprocessor of the ~~on-board~~embedded  
6 system ~~via~~by means of the virtual machine.

7 As shown in ~~fig~~Fig. 3a, the verification method consists, for each ~~subprogram~~subroutine,  
8 in carrying out a ~~stage~~step 200 ~~effor~~ initializing the ~~type~~ stack of ~~types~~ and the ~~table~~ of register  
9 ~~type~~type array of the virtual machine by data representing the state of this virtual machine at the  
10 start of execution of the object code which is the subject of the verification. This object code can  
11 be stored temporarily as described above with reference to implementation of the ~~protocol~~process  
12 which is the subject of the present invention.

13 The abovementioned ~~stage~~step 200 is then followed by a ~~stage~~step 200a consisting in  
14 positioning the reading of the current instruction ~~Il~~I<sub>i</sub>, index i, on the first instruction of the object  
15 code.—~~Stage~~Step 200a is followed by a ~~stage~~step 201 consisting in carrying out a verification of  
16 the abovementioned object code, instruction by instruction, by discerning the existence, for each  
17 current instruction, designated I<sub>i</sub>, of a ~~branching~~branch-instruction target ~~GIBCIB~~GIBCIB, of a target of  
18 an exception-handler call, designated CEM, or of a target of a subroutine call CSR.

19 The verification ~~stage~~step 201 is followed by a ~~stage~~step 202 ~~effor~~ verifying and updating  
20 the effect of the current instruction I<sub>i</sub> on the data types of the ~~type~~ stack of ~~types~~ and of the ~~table~~  
21 ~~of register~~type array, as a function of the existence, for the current instruction which is  
22 pointed ~~at~~to by another instruction, of a ~~branching~~branch-instruction target ~~GIBCIB~~GIBCIB, of a target  
23 of a subroutine call CSR or of a target of an exception-handler call CEM.

1           StageStep 202 for the current instruction  $I_i$  is followed by a stagestep 203 to test whether  
2           the last instruction has been reached, the test written as:

3            $I_i = \text{last instruction of the object code?}$

4           On a negative response to test 203, the process passes to the next instruction 204, written  $i = i+1$ ,  
5           and to theon return to stagestep 201.

6           It is indicated that the abovementioned verification, at stagestep 202, ~~has been is~~  
7           successful when the table of register type array is not modified during verification of all the  
8           instructions  $I_i$  which make up the object code. For this purpose, a test 205 of the existence of a  
9           stable state of the table of register types and type array is provided. This test is written:

10            $\exists? \text{ Stable state of table of register type type array.}$

11           On a positive response to test 205, the verification has been successful.

12           On the other hand, in the case where no absence of modification is noticed, the  
13           verification process is repeated and reinitiated by returning to stagestep 200a. It is demonstrated  
14           that the process is guaranteed to end after a maximum of  $Nr \times H$  iterations, where  $Nr$  designates  
15           the number of registers used and  $H$  designates a constant depending on the subtyping relation.

16           Various indications concerning the types of variables ~~which are~~ manipulated in the course  
17           of the verification process described above with reference to figFig. 3a will now be given with  
18           reference to figFig. 3b.

19           The abovementioned variable types include at least class identifiers corresponding to  
20           object classes ~~which are~~ defined in the program fragment which is subjected to verification,  
21           numeric variable types including at least a type short type, an integer coded on  $p$  bits, where the  
22           value of  $p$  can be 16, and a type for the return address of a jump instruction JSR, this address type  
23           being identified as denoted retaddr, a type null type relating to references of null objects, a type an

1 object type relating to the objects proper, a specific type  $\perp$  representing the intersection of all the  
2 types and corresponding to the value-zero nullvalue, another specific type  $T$  representing the  
3 union of all the types and corresponding to any type of values.

4 With reference to figFig. 3b, it is indicated that all the abovementioned variable types  
5 verify a subtyping relation:

6 object  $\epsilon \sqsubseteq T$ ;  
7 short, retaddr  $\epsilon \sqsubseteq T$ ;  
8  $\perp \epsilon \sqsubseteq \text{null}$ , short, retaddr

9 A more specific example of a process of verification as illustrated in fig. 3a will now be  
10 given, with reference to a first example of a data structure example, which is shown in tablearray  
11  $T_1$  in the annex.

12 The abovementioned example concerns an applet written in JavaJAVA code.

13 The verification process accesses the code of the subprogramsubroutine which forms the  
14 applet which is subjected to verification via a pointer to instruction  $I_i$  which is being verified.

15 The verification process records the size and type of the execution stack at the current  
16 instruction  $I_i$  corresponding to saload in the example of the above-mentioned  
17 Tableabovementioned Array  $T_1$ .

18 The verification process then recordsstores the size and type of the execution stack at the  
19 current instruction in the type\_stack-of types via its type stack pointer.

20 As mentioned above in the description, this type\_stack-of types reflects the state of the  
21 execution stack of the virtual machine at the current instruction  $I_i$ . In the example shown in  
22 tablearray  $T_1$ , at the time of the future execution of instruction  $I_i$ , the stack will contain three  
23 entries: a reference to an object of class  $C$ , a reference to a table of integersan integer array

1 coded on  $p = 16$  bits, the type short [ ], and an integer of  $p = 16$  bits of type short. This is also  
2 shown in the type stack, which also contains three entries: C, the type of the objects of class C,  
3 short [], the type of ~~table~~the arrays of integers  $p = 16$  bits and short, the type of integers  $p = 16$   
4 bits.

5 Another noteworthy data structure consists of ~~a table of an~~ register typetype array, this  
6 tablearray reflecting the state of the registers, that is to say of the registers which store the local  
7 variables, of the virtual machine.

8 Continuing the example indicated in tablearray T1, it is indicated that entry 0 of the table  
9 ~~of~~register typetype array contains type C, i.e. at the time of the future execution of the current  
10 instruction  $I_i = \text{saload}$ , register 0 is guaranteed to contain a reference to an object of class C.

11 The various types which are manipulated during the verification and stored in the table~~of~~  
12 register typetype array and in the type stack are represented in ~~fig~~Fig. 3b. These types include:

13 • class identifiers CB corresponding to specific object classes which are defined in the  
14 applet;

15 • basebasic types, such as short, ~~an~~ integer coded on  $p = 16$  bits, intint1 and int2, the  
16 most and least significant  $p$  bits respectively of integers coded on, e.g.,  $2p$  bits, or retaddr, the  
17 return address of an instruction as mentioned above;

18 • the type null, representing the references of null objects.

19 Regarding the subtyping relation, it is indicated that a type T1 is a subtype of a type T2 if  
20 ~~every~~any valid value of type T1 is also a valid value of type T2. The subtyping between class  
21 identifier reflects the inheritance hierarchy between classes of the applet. On the other types,  
22 subtyping is defined by the lattice shown in fig. 3b, where  $\perp$  is a subtype of all the types and all  
23 the types are subtypes of T.

1           The sequence of the process of verifying a subprogramsubroutine which forms an applet  
2        is as follows, referring to the abovementioned tablearray T1.

3           The verification process is carried out independently on each subprogramsubroutine of  
4        the applet. For each subprogramsubroutine, the process carries out one or more verification  
5        passes on the instructions of the relevant subprogramsubroutine. The pseudocode of the  
6        verification process is given in tablearray T2 in the annex.

7           The process of verifying a subprogramsubroutine begins with initializing the type stack  
8        and the tableofregister typearray shown in tablearray T1, this initialization reflecting the  
9        state of the virtual machine at the start of execution of the subprogramsubroutine being  
10       examined.

11       The type stack is initially empty, the stack pointer equals zero, and the register types are  
12       initialized with the types of the parameters of the subprogramsubroutine, illustrating the fact that  
13       the virtual machine passes the parameters of this subprogramsubroutine in these registers. The  
14       register types ~~which are~~ allocated by the subprogramsubroutine are initialized to data types  $\perp$ ,  
15       illustrating the fact that the virtual machine initializes these registers to zero at the start of  
16       execution of the subprogramsubroutine.

17       Next, one or more verification passes on the instructions and on each current instruction  $I_i$   
18       of the subprogramsubroutine are carried out.

19       At the end of the implemented verification pass, or of a succession of passes for  
20       ~~instance~~example, the verification process determines whether the register types contained in the  
21       tableofregister typesshownintabletypearrayrepresentedinarray T1 of the annex have changed  
22       during the verification pass. In the absence of change, verification is terminated and a success

1 code is returned to the main program, which makes it possible to send the positive reception  
2 acknowledgment at stagestep 105 of the management protocolprocess shown in figFig. 2.

3 If a change to the abovementioned table of register typetype array is present, the  
4 verification process repeats the verification pass until the register types contained in the table of  
5 register typetype array are stable.

6 The sequence proper of a verification pass which is carried out one or more times until  
7 the table of register typetype array is stable will now be described with reference to figsFigs. 3c  
8 to 3j.

9 For each current instruction  $I_i$ , the following verifications are carried out:

10 With reference to figFig. 3a at stagestep 201, the verification process determines whether  
11 the current instruction  $I_i$  is the target of a branchingbranch instruction, a subroutine call or an  
12 exception-handler call, as mentioned above. This verification is carried out by examining the  
13 branchingbranch instructions in the code of the subprogramsubroutine and the- exception  
14 handlers associated with this subprogramsubroutine.

15 With reference to figFig. 3c which begins with stagestep 201, when the current  
16 instruction  $I_i$  is the target of a branchingbranch instruction, this condition being implemented by a  
17 test 300 designated by  $I_i = CIB$ , this branchingbranch being unconditional or conditional, the  
18 verification process checks that the type stack is empty at this point of the subprogramsubroutine  
19 by a test 301. On a positive response to the test 301, the verification process is continued by a  
20 context continuation stagestep marked continue A. On a negative response to the test 301, the  
21 type stack not being empty, the verification fails and the applet is rejected. This failure is  
22 represented by the Failure stagestep.

1       With reference to ~~fig~~Fig. 3d which begins with the continue A stagestep, when the current  
2       instruction  $I_i$  is the target of a subroutine call, this condition being implemented by a test 304  $I_i =$   
3       CSR, the verification process verifies, in a test 305, that the previous instruction  $I_{i-1}$  does not  
4       continue in sequence. This verification is implemented by a test stagestep 305 when the previous  
5       instruction is an unconditional branchingbranch, a subroutine return or a raisingwithdrawal of an  
6       exception. The test at stagestep 305 is marked as follows:

7            $I_{i-1} = IB_{\text{unconditional, return RSR or raisingwithdrawal}} \text{ L-EXCEPT.}$

8       On a negative response to test 305, the verification process fails in a Failure stagestep.  
9       On the other hand, on a positive response to test 305, the verification process reinitializes the  
10      type stack 306 in such a way that it contains exactly one entry of retaddr type, the return address  
11      of the abovementioned subroutine. If the current instruction  $I_i$  at stagestep 304 is not the target of  
12      a subroutine call, the verification process is continued in the context at the continue B stagestep.

13       With reference to ~~fig~~Fig. 3e, when the current instruction  $I_i$  is the target of an exception  
14      handler, this condition being implemented by a test 307 marked  $I_i = CEM$ , where CEM  
15      designates the target of an exception handler, this condition is implemented by a test 307,  
16      marked:

17            $I_i = CEM.$

18       On a positive response to test 307, the process verifies that the previous instruction is an  
19      unconditional branchingbranch, a subroutine return or a raisingwithdrawal of exceptions by a test  
20      305, marked:

21            $I_{i-1} = IB_{\text{unconditional, return RSR or raisingwithdrawal}} \text{ L-EXCEPT.}$

22       On a positive response to test 305, the verification process proceeds to reupdate the type  
23      stack, at a stagestep 308, by entering with an exception types entry, marked EXCEPT type,

1        stagestep 308 being followed by a context continuation stagestep, continue C. On a negative  
2        response to test 305, the verification process fails bywith the stagestep marked Failure. The  
3        program fragment is then rejected.

4            With reference to figFig. 3f, when the current instruction  $I_i$  is the target of multiple  
5        incompatible branchingsbranches, this condition is implemented by a test 309, which is marked:

6             $I_i = \text{incompatible XIBs}$

7        the incompatible branchingsbranches being, for instance, an unconditional branchingbranch and a  
8        subroutine call, or even two different exception handlers. On a positive response to test 309, the  
9        branchingsbranches being incompatible, the verification process fails bywith a stagestep marked  
10       Failure and the program fragment is rejected. On a negative response to test 309, the verification  
11       process is continued bywith a stagestep marked continue D. Test 309 begins with the continue C  
12       stage which was step mentioned previously in the description.

13            With reference to figFig. 3g, when the current instruction  $I_i$  is not the target of any  
14       branchingbranch, this condition being implemented by a test 310 beginning with the  
15       abovementioned continue D, this test being marked

16             $I_i \exists? \text{branchingbranch targets,}$

17        where  $\exists$  designatesdenotes the existence symbol,

18        the verification process continues on a negative response to the test 310 by passinggoing on to an  
19       update of the type stack at stagestep 311, stagestep 311 and the<sup>2</sup> positive response to test 310  
20       being followed by a context continuation stagestep at stagestep 202, which is described above in  
21       the description with reference to figFig. 3a.

1           A more detailed description of the stage of step for verifying the effect of the current  
2           instruction on the type stack at the abovementioned stagestep 202 will now be given with  
3           reference to figFig. 3h.

4           According to the abovementioned figure, this stagestep can include at least one stagestep  
5           400 of verificationfor verifying that the type execution stack includescontains at least as many  
6           entries as the current instruction includes operands. This test stagestep 400 is marked:

7            $N_{bep} \geq N_{Opi}$

8           where  $N_{bep}$  designatesdenotes the number of entries of the type stack entries and  $N_{Opi}$   
9           designatesdenotes the number of operands includedcontained in the current instruction.

10           On a positive response to test 400, this test is followed by a stagestep 401a effor  
11           unstacking the type stack, and effor verifying 401b that the types of the entries at the top of the  
12           stack are subtypes of the types of the operands of the abovementioned current instruction. At test  
13           stagestep 401a, the operand types of the instruction  $i$  are marked  $TOpi$ , and the types of the  
14           entries at the top of the stack are marked  $Targs$ .

15           At stagestep 401b, the verification corresponds to a verification of the subtyping relation  
16            $Targs$  subtype of  $TOpi$ .

17           On a negative response to tests 400 and 401b, the verification process fails, which is  
18           shown by access to the Failure stagestep. On the other hand, on a positive response to test 401b,  
19           the verification process is continued, and consists in carrying out:

20           

- –A stage of step for verifying the existence of a sufficient memory space on the type  
21           stack to proceed to stack the results of the current instruction. This verification stagestep is  
22           implemented by a test 402, marked:

23            $Stack-space \geq Results-space$

1 where each side of the inequality ~~designates~~denotes the corresponding memory space.

2 On a negative response to test 402, the verification process fails, which is shown by the  
3 Failure ~~stage~~step. On the other hand, on a positive response to test 402, the verification process  
4 then proceeds to stack the data types ~~which are~~ assigned to the results in a ~~stage~~step 403, the  
5 stacking being done on the ~~stack of~~ data types ~~which are~~stack assigned to these results.

6 As a nonlimiting example, it is indicated that to implement ~~fig~~Fig. 3h for verifying the  
7 effect of the current instruction on the type stack, for a current instruction consisting of a  
8 ~~Java~~JAVA saload instruction corresponding to reading an integer element coded on  $p = 16$  bits in  
9 a ~~table of integers~~an integer array, this ~~table of integers~~integer array being defined by the ~~table of~~  
10 ~~integers~~integer array and an integer index in this ~~table~~array, and the result by the integer which is  
11 read at this index in this ~~table~~array, the verification process checks that the type stack contains at  
12 least two elements, that the two elements at the top of the type stack are subtypes of short [ ] and  
13 short respectively, proceeds to the unstacking process and then to the process of stacking the data  
14 type short as the result type.

15 Additionally, with reference to ~~fig~~Fig. 3i, to implement the ~~stage of~~step for verifying the  
16 effect of the current instruction on the type stack, when the current instruction  $I_i$  is a read  
17 instruction, marked IR, of a register of address  $n$ , this condition being implemented by a test 404  
18 marked  $I_i = IR_n$ , on a positive response to the abovementioned test 404, the verification process  
19 consists in verifying the data type of the result of this ~~reading~~read, in a ~~stage~~step 405, by reading  
20 the entry  $n$  in the ~~table of~~ register ~~type~~type array, then in determining the effect of the current  
21 instruction  $I_i$  on the type stack by an operation 406a of unstacking the entries of the stack  
22 corresponding to the operands of this current instruction and by stacking 406b the data type of  
23 this result. The operands of the instruction  $I_i$  are marked  $OP_i$ .—Stages Steps 406a and 406b are

1 followed by a return to the context continuation, continue F. On a negative response to test 404,  
2 the verification process is continued by the context continuation, continue F.

3 With reference to ~~fig~~ Fig. 3j, when the current instruction  $I_i$  is a write instruction, marked  
4 IW, of a register of address n, this condition being implemented by a test marked  $I_i = IW_m$ , on a  
5 positive response to test 407, the verification process consists in determining, in a ~~stage~~ step 408,  
6 the effect of the current instruction on the type stack and the type t of the operand ~~which is~~  
7 written in the register of address n, then, in a ~~stage~~ step 409, in replacing the type entry of the  
8 ~~table of register type~~ ~~type array~~ at address n ~~by~~ with the type immediately above the previously  
9 stored type and above the type t of the operand ~~which is~~ written in the register of address n.  
10 ~~Stage~~ Step 409 is followed by a return to the context continuation, continue 204. On a negative  
11 response to test 407, the verification process is continued by a context continuation, continue  
12 204.

13 As an example, when the current instruction  $I_i$  corresponds to writing a value of type D  
14 into a register of address 1, and the type of register 1 before verification of the instruction was C,  
15 the type of register 1 is replaced by the type object, which is the smallest type ~~which is~~ higher  
16 than C and D in the lattice of types shown in ~~fig~~ Fig. 3b.

17 In the same way, as an example, when the current instruction  $I_i$  is a read of an instruction  
18 `aload-0` consisting in stacking the ~~contents~~ ~~content~~ of register 0, and entry 0 of the ~~table of register~~  
19 ~~type~~ ~~type array~~ is C, the verifier stacks C onto the type stack.

20 An example of verifying a ~~subprogram~~ ~~subroutine~~ written in a ~~Java~~ ~~JAVA~~ environment  
21 will now be given, with reference to tables T3 and T4 in the annex.

22 ~~Table~~ ~~Array~~ T3 represents a specific ~~JavaCard~~ ~~JAVACARD~~ code corresponding to the  
23 Java ~~subprogram~~ ~~which is~~ ~~subroutine~~ included in this ~~table~~ ~~array~~.

1           

|       |       |    |
|-------|-------|----|
| table | Array | T4 |
|-------|-------|----|

 shows the ~~contents~~content of the ~~table~~ of register ~~type~~type array and of the  
2 type stack before verification of each instruction. The type constraints on the operands of the  
3 various instructions are all observed. The stack is empty both after the instruction 5 to branch to  
4 instruction 9, symbolized by the arrow, and before the abovementioned ~~branching~~branch target 9.  
5 The type of register 1, which was initially  $\perp$ , becomes null, the upper bound of null and  $\perp$ , when  
6 instruction 1 to store a value of type null in register 1 is examined, then becomes of type short[ ],  
7 the upper bound of types short[ ] and null, when instruction 8 to store a value of type short [ ] in  
8 register 1 is processed.—~~The~~ Since the type of register 1 ~~having~~has changed during the first  
9 verification pass, a second pass is carried out, ~~distributing~~this time starting from the register  
10 types ~~which~~were obtained at the end of the first. This second verification pass is successful, just  
11 like the first, and does not change the register types. The verification process thus terminates  
12 successfully.

13           Various examples of cases of failure of the verification process on four examples of  
14 incorrect code will now be given with reference to 

|       |       |    |
|-------|-------|----|
| table | array | T5 |
|-------|-------|----|

 in the annex:

15           • At point a) of 

|       |       |    |
|-------|-------|----|
| table | array | T5 |
|-------|-------|----|

, the purpose of the code given as an example is to attempt  
16 to ~~fabricate~~construct an invalid object reference using an arithmetic process on pointers. It is  
17 rejected by verification of the types of arguments of instruction 2 sadd, which requires these two  
18 arguments to be of type short.

19           • At points b) and c) of 

|       |       |    |
|-------|-------|----|
| table | array | T5 |
|-------|-------|----|

, the purpose of the code is to carry out two  
20 attempts to ~~transform~~convert any integer into an object reference. At point b) , register 0 is used  
21 simultaneously with type short, instruction 0, and with type null, instruction 5. Consequently, the  
22 verification process assigns type T to ~~record~~register 0, and detects a type error when register 0 is  
23 returned as a result of type object at instruction 7.

1       • At point c) of tablearray T5, a set of branchingsbranches of type “if . . . then . . . else .

2       . . .” is used to leave at the top of the stack a result which consists of either an integer or an object  
3       reference. The verification process rejects this code because it detects that the stack is not empty  
4       at the branchingbranch from instruction 5 to instruction 9, symbolized by the arrow.

5       • Finally, at point d) of tablearray 5, the code contains a loop which, at on each iteration,

6       has the effect of stacking an additional integer on the top of the stack, and thus causing a stack  
7       overflow after a certain number of iterations. The verification process rejects this code,  
8       noticingobserving that the stack is not empty at the backward branchingbranch from instruction 8  
9       to instruction 0, symbolized by the return arrow, the stack not being empty at a branchingbranch  
10      point.

11      The various examples given above with reference to tables T3, T4 and T5 show that the  
12      verification process, which is the subject of the present invention, is particularly  
13      efficien~~te~~effective, and that it applies to applets, and in particular to subprogramssubroutines  
14      thereof, for which the conditions of stack type, or respectively of the empty character of the type  
15      stack, previously, and to on the branchingbranch or branch target instructions or branching  
16      targets, are satisfied.

17      Obviously, such a verification process implies writing object codes which satisfy these  
18      criteria, these object codes possibly corresponding to the sub programsubroutine in the  
19      abovementioned tablearray T3.

20      However, and in order to ensure the verification of existing applets and  
21      subprogramssubroutines of applets which do not necessarily satisfy the verification criteria of the  
22      method which is the subject of the present invention, in particular regarding applets and  
23      subprograms which are subroutines written in the Java environment, the purpose of the present

1 invention is to establish methods of transforming these applets or ~~subprogramssubroutines~~ into  
2 standardized applets or program fragments, ~~making it possible to undergo that can~~ successfully  
3 undergo the verification tests of the verification method which is the subject of the present  
4 invention and of the management ~~protoeolprocess~~ which implements such a method.

5 For this purpose, the subject of the invention is the implementation of a method and a  
6 program for transforming a ~~traditionalconventional~~ object code forming an applet, it being  
7 possible to implement this method and this transformation program, outside an ~~on-~~  
8 ~~boardembedded~~ system or microprocessor card, when the relevant applet is created.

9 The method of transforming code into standardized code, which is the subject of the  
10 present invention, will now be described in the framework of the ~~JavaJAVA~~ environment, as a  
11 purely illustrative example.

12 The JVM codes ~~which are~~ produced by existing ~~JavaJAVA~~ compilers satisfy various  
13 criteria, which are stated below:

14 C1: the arguments of each instruction ~~actuallydo~~ belong to the types which this  
15 instruction expects;

16 C2: the stack does not overflow;

17 C'3: for each ~~branchingbranch~~ instruction, the type of the stack at this ~~branchingbranch~~  
18 is the same as at the possible targets for this ~~branchingbranch~~;

19 C'4: a value of type t ~~which is~~ written into a register at one point of the code and  
20 ~~rereadread back~~ from the same register at another point of the code is always  
21 ~~rereadread back~~ with the same type t;

1           The implementation of the verification method which is the subject of the present  
2 invention ~~implies that entails~~ criteria C'3 and C'4, ~~which are~~ verified by the object code ~~which is~~  
3 submitted for verification, ~~being~~ replaced by criteria C3 and C4 below:

4           C3: the stack is empty at each ~~branching~~branch instruction and at each  
5           ~~branching~~branch target;

6           C4: the same register is used with one and the same type throughout the code of a  
7           subprogram-subroutine.

8           With reference to the abovementioned criteria, it is indicated that Java compilers  
9 guarantee only the weaker criteria C'3 and C'4. The verification process which is the subject of  
10 the present invention and the corresponding management ~~process~~protocol in fact guarantee more  
11 restrictive criteria C3 and C4, making it possible to ensure the security of execution and  
12 management of applets.

13           The concept of standardization, covering the transformation of codes into standardized  
14 codes, can present various aspects, ~~to~~inasmuch as the extent that replacement of criteria C'3 and  
15 C'4 by criteria C3 and C4, in conformityaccordance with the verification process which is the  
16 subject of the present invention, can be implemented independentlyseparately, to ensure that the  
17 stack is empty at each ~~branching~~branch instruction and at each ~~branching~~branch target, and  
18 respectively that the registers which the applet opens are typed, and a single data type which is  
19 assigned for execution of the relevant applet corresponds to each open register, or, on the other  
20 hand, jointly, to satisfy the whole of the verification process which is the subject of the present  
21 invention.

22           The method of transforming an object code into standardized object code ~~as claimed~~  
23 in accordance to the invention will consequently be described ~~as claimed in accordance to~~ two

1 distinct implementation modeembodiments, a first implementation modeembodiment  
2 corresponding to the transformation of an object code which satisfies criteria C1, C2, C'3, C'4  
3 into a standardized object code which satisfies criteria C1, C2, C3, C'4 corresponding to a  
4 standardized code with an empty branchingbranch instruction or branchingbranch target, then, as  
5 claimed in accordance to a second implementation modeembodiment, in which the  
6 traditionalconventional object code which satisfies the same initial criteria is transformed into a  
7 standardized object code which satisfies criteria C1, C2, C'3, C4, for instance corresponding to a  
8 standardized code using typed registers.

9 The first implementation modeembodiment of the code transformation method which is  
10 the subject of the present invention will now be described with reference to fig Fig. 4a. In the  
11 implementation mode which isembodiment shown in fig Fig. 4a, the initial  
12 traditionalconventional code is considered to satisfy criteria C1+C2+C'3, and the standardized  
13 code which is obtained as the result of the transformation is considered to satisfy criteria  
14 C1+C2+C3.

15 According to the abovementioned figure, the transformation method consists, for each  
16 current instruction  $I_i$  of the code or of the subprogramsubroutine, in annotating each instruction,  
17 in a stagestep 500, with the data type of the stack before and after execution of this instruction.  
18 The annotation data is marked  $AI_i$  and is associated by the relation  $I_i \leftrightarrow \underline{\leftrightarrow} AI_i$  with in the  
19 relevant current instruction. The annotation data is calculated by means of an analysis of the data  
20 stream relating to this instruction. The data types before and after execution of the instruction are  
21 marked  $tbe_i$  and  $tae_i$  respectively. Calculation of annotation data by analysis of the data stream is  
22 a traditionalconventional calculation which is known to those skilled in the art, and will therefore  
23 not be described in detail.

1           The operation ~~which is implemented~~carried out at stagestep 500 is illustrated in tablearray  
2           T6 in the annex, in which, for an applet or ~~subprogram of an applet~~subroutine including 12  
3           instructions, the annotation data  $AI_i$  made up of the types of registers and the types of the stack  
4           ~~are~~is introduced.

5           The abovementioned stagestep 500 is then followed by a stagestep 500a consisting in  
6           positioning the index  $i$  on the first instruction  $I_i = I_1$ . Stage $I_1$ . Step 500a is followed by a stagestep  
7           501 consisting in detecting, among the instructions and in each current instruction  $I_i$ , the  
8           existence of ~~branchingsbranches~~ marked IB or of ~~branchingbranch~~ targets CIB for which the  
9           execution stack is not empty. This detection 501 is implemented by a test which is carried out on  
10           the basis of the annotation data  $AI_i$  of the type of stack variables allocated to each current  
11           instruction, the test being marked for the current instruction:

12            $I_i$  is an IB or CIB and stack  $(AI)$   $\neq$  empty.

13           On a positive response to test 501, i.e. in the presence of detection of a non-empty  
14           execution stack, the abovementioned test is followed by a stagestep consisting in inserting  
15           instructions to transfer stack variables on either side of these ~~branchingsbranches~~ IB or  
16           ~~branchingbranch~~ targets CIB, in order to empty the content of the execution stack into temporary  
17           registers before this ~~branchingbranch~~ and to reestablish the execution stack from the temporary  
18           registers after this ~~branchingbranch~~. The insertion stagestep is marked 502 in ~~fig~~Fig. 4a. It is  
19           followed by a stagestep 503 to test the reaching of the last instruction, marked

20            $I_i = \text{last instruction?}$

21           On a negative response to ~~the~~ test 503, an increment 504  $i=i+1$  is carried out, to go on to the next  
22           instruction and return to stagestep 501. On a positive response to test 503, an End stagestep is  
23           initiated. On a negative response to test 501, the transformation method is continued by a

1        branchingbranch to stagestep 503 in the absence of insertion of a transfer instruction.—  
2        Implementation The implementation of the method of transforming a traditionalconventional  
3        code into a standardized code with branchingbranch instruction with empty stack as represented  
4        in figFig. 4a makes it possible to obtain a standardized object code for the same initial program  
5        fragment in which the stack of stack variables is empty at each branchingbranch instruction and  
6        each branching\_branch target instruction, in the absence of any modification to the execution of  
7        the program fragment. In the case of a Java environment, the instructions to transfer data  
8        between stack and register are the load and store instructions of the Java virtual machine.

9        Returning to the example introduced in tablearray T6, the transformation method detects  
10      a branchingbranch target where the stack is not empty at instruction 9.—The method is then to  
11      insert an An instruction istore 1 is then inserted before the branchingbranch instruction 5 which  
12      leads to the above-mentionedabovementioned instruction 9, in order to save the content of the  
13      stack in register 1 and ensure that the stack is empty at the time of the branching\_branch.  
14      Symmetrically, an instruction iload 1 is inserted before the instruction target 9, to reestablish the  
15      content of the stack exactly as it was before the branching\_branch. Finally, an instruction istore 1  
16      is inserted after instruction 8 to ensure that the stack is balanced on the two paths which lead to  
17      instruction 9. The result of the transformation carried out in this way into a standardized code is  
18      shown in tablearray T7.

19        The second implementation modeembodiment of the transformation method which is the  
20      subject of the present invention will now be described with reference to figFig. 4b in the case in  
21      which the initial traditionalconventional object code satisfies criteria C1C1+C'4 and the  
22      standardized object code satisfies criteria C1+C4.

1           With reference to the abovementioned ~~fig~~Fig. 4b, it is indicated that the method, in this  
2 ~~implementation mode embodiment~~, consists in annotating, ~~as claimed in a stage according to a~~  
3 ~~step~~ 500 which is approximately the same as that ~~which is shown in fig~~Fig. 4a, each current  
4 instruction  $I_i$  with the data type of register data the registers before and after execution of this  
5 instruction. In the same way, the annotation data  $AllA_i$  is calculated by means of an analysis of  
6 the data stream relating to this instruction.

7           The annotation ~~stage~~step 500 is then followed by a ~~stage~~step consisting in carrying out a  
8 reallocation of the registers, the ~~stage~~step marked 601, by detecting the original registers  
9 employed with different types, ~~by and~~ dividing these original registers into separate standardized  
10 registers, one standardized register being allocated to each data type used.—~~Stage~~Step 601 is  
11 followed by a ~~stage~~step 602 ~~effor~~ reupdating the instructions which manipulate the operands  
12 which use the abovementioned standardized registers. ~~Stage~~Step 602 is followed by a context  
13 continuation ~~stage~~step 302.

14           With reference to the example given in tablearray T6, it is indicated that the  
15 transformation method detects that the register of rank 0, marked  $r0, r0$ , is used with the two  
16 types, object, instructions 0 and 1, and int, instruction 9 and following. ~~The method is then to~~  
17 ~~divide the original register r0, r0 is then divided~~ into two registers, register 0 for the use of object  
18 types and register 1 for uses of int type. References to ~~record~~register 0 of int type are then  
19 rewritten by transforming them into references to ~~record~~register 1, the standardized code obtained  
20 being shown in tablearray T8 in the annex.

21           It is noted, in a nonlimiting way, that in the example ~~which is introduced with reference~~  
22 to the abovementioned tablearray T8, the new register 1 is used simultaneously for

1 standardization of the stack and for the creation of typed registers by dividing of register 0 into  
2 two registers.

3 The method of transforming a traditionalconventional code into a standardized code with  
4 branchingbranch instruction with empty stack as described in figFig. 4a will now be described in  
5 more detail in a preferred, nonlimiting implementation-modeembodiment, in relation to figFig.  
6 5a.

7 This implementation-modeembodiment concerns stagestep 501, consisting in detecting,  
8 within the instructions and within each current instruction  $I_i$ , the existence of branchingbranch  
9 IB, or respectively of branchingbranch target CIB, for which the stack is not empty.

10 Following the determination of target instructions where the stack is not empty, this  
11 condition being marked at stagestep 504a,  $I_i$  stack  $\neq$  empty, the transformation process consists  
12 in associating with these instructions, at the abovementioned stagestep 504a, a set of new  
13 registers, one perfor each stack location which is active at these instructions. Thus, if  $i$   
14 designatesdenotes the rank of a branchingbranch target of which the associated stack type is not  
15 empty and is of type  $tp_1, tp_1$  to  $tp_n$  with  $n > 0$ , stack not empty, the transformation process  
16 allocates  $n$  new, as yet unused, registers,  $r_1$  to  $r_n$ , and associates them with the corresponding  
17 instruction  $i$ . This operation is implemented at stagestep 504a.

18 StageStep 504a is followed by a stagestep 504 consisting in examining each detected  
19 instruction of rank  $i$  and identifying, in a test stagestep 504, the existence of a branchingbranch  
20 target CIB or of a branchingbranch IB.—StageStep 504 is shown in the form of a test designated  
21 by:

22 3E? CIB, IB and  $I_i = CIB$ .

1           In the case ~~that~~where the instruction of rank  $i$  is a ~~branching~~branch target CIB represented  
2           by the preceding equality, and ~~that~~where the stack of stack variables at this instruction is not  
3           empty, i.e. with a positive response to test 504, for everyany preceding instruction of rank  $i-1$   
4           consisting of a ~~branching~~branch, a ~~raising~~withdrawal of an exception or a program return, this  
5           condition is implemented at test ~~stage~~step 505, designated by:

6            $I_{i-1} = IB$ , EXCEPT ~~raising~~withdrawal, Prog, return.

7           The detected instruction of rank  $i$  is only accessible by a ~~branching~~branch. On a positive  
8           response to the abovementioned test 505, the transformation process consists in carrying out a  
9           ~~stage~~step 506 consisting in inserting a set of load instructions of load type from the set of new  
10           registers before the relevant detected instruction of rank  $i$ . The insertion operation 506 is  
11           followed by a redirection 507 of all ~~branchings~~branches to the detected instruction of rank  $i$ , to  
12           the first inserted load instruction load. The insertion and redirection operations are shown in  
13           

14           For everyany preceding instruction of rank  $i-1$  continuing in sequence, i.e. when the  
15           current instruction of rank  $i$  is accessible simultaneously by a ~~branching~~branch and from the  
16           preceding instruction, this condition being implemented by test 508 and symbolized by the  
17           relations:

18                    $I_{i-1} \rightarrow I_i$

19                   And

20                   and

21                    $IB \rightarrow I_i$

22           the transformation process consists, in a ~~stage~~step 509, in inserting a set of ~~backup~~store  
23           instructions store to back-upsave to the set of new registers before the detected instruction of rank

1 i, and a set of load instructions load to load from this set of new registers. Stage Step 509 is then  
2 followed by a stagestep 510 of redirection offor redirecting all the branchingsbranches to the  
3 detected instruction of rank i to the first inserted load instruction load.

4 In the case thatwhere the detected instruction of rank i is a branchingbranch to a  
5 determined instruction, for any detected instruction of rank i consisting of an unconditional  
6 branchingbranch, this condition being implemented by a test 511 marked:

7  $I_{i+1} = IB_{uncondit.}$

8 the transformation process as shown in figFig. 5a consists in inserting at a stagestep 512, on a  
9 positive response to test 511, before the detected instruction of rank i, multiple backupstore  
10 instructions-store. The transformation process inserts before the instruction i the n store  
11 instructions-store as shown in tablearray T11 as an example. The store instructions-store address  
12 registers r1 to rn, where n designatesdenotes the number of registers. Thus the backupstore  
13 instruction is associated with each new register.

14 For every detected instruction of rank i consisting of a conditional branchingbranch, and  
15 for a number mOp, greater than 0, of operands manipulated by this- conditional branchingbranch  
16 instruction, this condition being implemented by the test 513 marked:

17  $I_{i+1} = IB_{condit.}$

18 with  $mOp > 0$

19 the transformation process, inon a positive response to the abovementioned test 513, consists of  
20 inserting, at a stagestep 514 before this detected instruction of rank i, a permutationswap  
21 instruction marked swap\_x at the top of the stack of stack variables of the mOp operands of the  
22 detected instruction of rank i and the n following values. This permutationswap operation makes  
23 it possible to collect at the top of the stack of stack variables the n values to be backed-upstored

1 in the set of new registers  $r_1$  to  $r_n$ . StageStep 514 is followed by a stagestep 515 consisting in  
2 inserting, before the instruction of rank  $i$ , a set of backupstore instructions store to back-upsave to  
3 the set of new registers  $r_1$  to  $r_n$ . The abovementioned insertion stagestep 515 is itself followed  
4 by a stagestep 516 effor insertion, after the detected instruction of rank  $i$ , of a set of load  
5 instructions load to load from the set of new registers  $r_1$  to  $r_n$ . The set of corresponding  
6 insertion operations is shown in tablearray 12 in the annex.

7 For reasons of completeness and with reference to figFig. 5a, it is indicated that, on a  
8 negative response to test 504, the continuation of the transformation process is implemented by a  
9 context continuation stagestep, continue 503, that the negative response to tests 505, 508, 511  
10 and 513 is itself followed by a continuation of the transformation process via a context  
11 continuation stagestep, continue 503, and that the same applies to the continuation of operations  
12 after the abovementioned redirection stagessteps 507 and 510 and insertion stagessteps 512 and  
13 516.

14 A more detailed description of the method of standardizing and transforming an object  
15 code into a standardized object code using typed registers as described in figFig. 4b will now be  
16 given with reference to figFig. 5b. This implementation modeembodiment concerns, more  
17 particularly, a nonlimiting, preferred implementation mode of stageembodiment of step 601 to  
18 reallocatefor reallocating the registers by detecting the ‘original registers used with different  
19 types.

20 With reference to the abovementioned figFig. 5b, it is indicated that the abovementioned  
21 stagestep 601 consists in determining, in a stagestep 603, the lifetime intervals marked  $ID_j$  of  
22 each register  $r_j$ . These lifetime intervals, designatedcalled “*live range*” or “*webs*”, are defined  
23 for a register  $r$  as a maximum set of partial traces such that register  $r$  is live at all points of these

1 traces. For a more detailed definition of these concepts, it is useful to refer to the work edited by  
2 Steven S. MUCHNICK entitled “Advanced Compiler Design and Implementation”, Section 16.3,  
3 Morgan KAUFMANN, 1997. Stage Step 603 is designated by the relation:

4  $ID_j \leftrightarrow \overleftarrow{\longrightarrow} r_j$

5 as ~~claimed in~~ according to which a corresponding lifetime interval  $ID_j$  is associated with each  
6 register  $r_j$ .

7 The abovementioned stagestep 603 is followed by a stagestep 604 consisting in  
8 determining, at stagestep 604, the main data type, marked  $tp_j$ , of each lifetime interval  $ID_j$ . The  
9 main type of a lifetime interval  $ID_j$ , for a register  $r_j$ , is defined by the upper bound of the data  
10 types stored in this register  $r_j$  by the backupstore instructions store—belonging to the  
11 abovementioned lifetime interval.

12 StageStep 604 is itself followed by a stagestep 605 consisting in establishing an  
13 interference graph between the lifetime intervals as defined above at stagessteps 603 and 604,  
14 this interference graph consisting of a non-oriented graph of which each peak consists of a  
15 lifetime interval, and of which the arcs, marked  $a_{j1, j2}$  on ~~fig~~ Fig. 5b, between two peaks  $ID_{j1}, ID_{j2}$   
16 and  $ID_{j2}$ , exist if a peak contains a backupstore instruction addressed to the register of the other  
17 peak or vice versa. In ~~fig~~ Fig. 5b, the construction of the interference graph is shown  
18 symbolically, it being possible to implement this construction on the basis of calculation  
19 techniques ~~which are~~ known to those skilled in the art. For a more detailed description of the  
20 construction of this type of graph, it is useful to refer to the work published by Alfred V. AHO,  
21 Ravi SETHI and Jeffrey D. ULLMAN entitled “Compilers: principles, techniques, and tools”,  
22 Addison-Wesley 1986, Section 9.7.

1        Following stagestep 605, the standardization method as shown in fig. 5b consists in  
2        translating, in a stagestep 606, the uniqueness of a data type which is allocated to each register  $r_j$   
3        in the interference graph, by adding arcs between all pairs of peaks of the interference graph  
4        while two peaks of a pair of peaks do not have the same associated main data type. It is  
5        understood that the translation of the uniqueness character of uniqueness of a data type which is  
6        allocated to each register obviously corresponds to ~~translating and taking into account the~~  
7        ~~translation and recognition~~ criterion C4 in the interference graph, this criterion being mentioned  
8        previously in the description. The abovementioned stagestep 606 is then followed by a stagestep  
9        607 in which an instantiation of the interference graph is carried out, this instantiation being  
10        more commonly ~~designated~~known as the ~~painting~~stagecoloring step of the interference graph as  
11        ~~claimed in accordance to~~ the usual techniques. During stagestep 607, the transformation process  
12        assigns to each lifetime interval  $ID_{jk}$  a register number  $rk$ , in such a way that two adjacent  
13        intervals in the interference graph receive different register numbers.

14        This operation can be implemented on the basis of any suitable process. As a nonlimiting  
15        example, it is indicated that a preferred process can consist:

- 16        a)        in choosing a peak of minimum degree in the interference graph, minimum degree  
17                being defined as a minimum number of adjacent peaks, and ~~with~~  
18                ~~drawing~~removing it from the graph. This stagestep can be repeated until the graph  
19                is empty.
- 20        b)        Each previously ~~withdrawn~~removed peak is reintroduced into the interference  
21                graph in the ~~inverser~~reverse order of their ~~withdrawal~~removal, the last to be  
22                removed being the first to be reintroduced, and successively in the ~~inverser~~reverse  
23                order of the order of ~~withdrawal~~removal. Thus the smallest register number

which is different from the numbers assigned to all the adjacent peaks can be assigned to each reintroduced peak.

Finally, by stagestep 602, shown in figFig. 4b, the transformation and reallocation process rewrites the register access instructions tothe registers in the code of the subprogramsubroutine of the relevant applet. Access to a given register in the corresponding lifetime interval is replaced by access to a different register, the number of which has been assigned during the instantiation phase, also designated the paintingcoloring phase.

A more detailed description of an on-boardembedded data-processing system, making it  
possible to implement for implementing the management protocolprocess and verification  
process of a program fragment or applet as claimed in accordance with the subject of the present  
invention, and of a development system of an applet, will now be given with reference to figFig.  
6.

Regarding the corresponding ~~on-board~~embedded system with reference 10, it is recalled that this ~~on-board~~embedded system is a reprogrammable-type system, including the essential components as shown in ~~fig~~Fig. 1b. The abovementioned ~~on-board~~embedded system is considered to be interconnected to a terminal by a serial link, the terminal itself being linked, for instance via a local area network, if appropriate a ~~remote~~wide area network, to an applet development computer with reference 20. On the ~~on-board~~embedded system ~~10 runs 10~~, a main program runs which reads and executes the commands ~~which sent by~~ the terminal ~~sends on over~~ the serial link. Additionally, the standard commands for a microprocessor card, such as for instance the standard commands of the ISO 7816 protocol, can be implemented, ~~and~~ the main program ~~recognizes~~recognizing two additional commands, one for ~~remote~~ loading

1        ~~of~~downloading an applet, and the other for selecting an applet which has previously been loaded  
2        onto the microprocessor card.

3        In conformityaccordance with the subject of the present invention, the structure of the  
4        main program is implemented in such a way as to include at least one program module for  
5        management and verification of a downloaded program fragment, followingaccordingto the  
6        protocolprocess for managing a downloaded program fragment as described above in the  
7        description with reference to ~~fig~~Fig. 2.

8        Additionally, the program module also includes a subprogramsubroutine module to verify  
9        a downloaded program fragment, followingaccordingto the verification method as described  
10      above in the description with reference to ~~figs~~Figs. 3a to 3j.

11      For this purpose, the structure of the memories, in particular the non-writable permanent  
12      memory ROM, is modified in such a way as to include in particular, ~~apart from~~inadditionto the  
13      main program, a protocolprocess management and verification module ~~17,17~~17 and a virtual  
14      machine ~~16~~16 for interpreting the software code, as mentioned above. Finally, regarding the  
15      nonvolatile rewritable memory of EEPROM type, this advantageously includes a directory of  
16      applets, marked 18, ~~making it possible to implement~~for implementing the management  
17      protocolprocess and the verification process which are the subjects of the present invention.

18      With reference to the same ~~fig~~Fig. 6, it is indicated that the applet development system  
19      conforming to the subject of the present invention, in fact ~~making it possible to transform a~~  
20      ~~traditional~~for transforming a conventional object code as mentioned above in the description, and  
21      satisfying criteria C1+C2+C13'+C'4 in the framework of the Java environment, into a  
22      standardized object code for the same program fragment, includes, associated with a  
23      ~~traditional~~conventional Java compiler 21, a code transformation module, marked 22, which

1 proceeds to transform code into standardized code as claimed in accordance to the first and second  
2 ~~implementation modes~~embodiments described above in the description with reference to ~~figs~~Fig  
3 §. 4a, 4b and 5a, 5b. It is in fact understood that, on the one hand, standardization of the original  
4 object code into a standardized object code with ~~branching~~branch instruction with empty stack  
5 and into a standardized code using typed registers, on the other hand, as mentioned previously in  
6 the description, makes it possible to satisfy verification criteria C3 and C4, ~~which are~~4 imposed  
7 by the verification method which is the subject of the present invention.

8 The code transformation module 22 is followed by a ~~JavaCard~~JAVACARD  
9 converter 23, which makes it possible to ~~ensure transmission by a remote~~transmit via a wide area  
10 or local area network to the terminal and, via the serial link, to the microprocessor card 10. Thus  
11 the applet development system 20 shown in fig. 6 ~~makes it possible~~is used to transform the  
12 compiled class files produced by the Java compiler 21 from the ~~Java~~JAVA source codes of the  
13 applet into class files which are equivalent, but which observe the additional constraints C3, C4  
14 ~~which are~~-imposed by the management ~~protocol~~process and the verification module 17 embedded  
15 on-board the microprocessor card 10. These transformed class files are ~~transformed~~converted  
16 into a ~~downloadable~~an applet ~~on~~which can be downloaded to the card by the standard ~~JavaCard~~  
17 JAVACARD converter 23.

18 Various particularly noteworthy components of the set of ~~protocol~~process components,  
19 methods and systems which are the subjects of the present invention will now be given for  
20 information only.

21 Compared to the verification processes of the prior art as mentioned in the introduction to  
22 the description, the verification method which is the subject of the present invention appears  
23 noteworthy in that it concentrates the verification effort on the typing properties of the operands

1 which are essential to the security of execution of each applet, i.e. observing the type constraints  
2 associated with each instruction and absence of stack overflow. Other verifications do not appear  
3 to be essential in terms of security, in particular verification that the code correctly initializes  
4 every register before reading it for the first time. On the contrary, the verification method which  
5 is the subject of the present invention operates by initializing to zero all the registers from the  
6 virtual machine when the method is initialized, to guarantee that reading a non-initialized register  
7 cannot compromise the security of the card.

8 Additionally, the ~~demanded requirement~~ imposed by the verification method which is the  
9 subject of the present invention, ~~as claimed in accordance to~~ which the stack must be empty at each  
10 ~~branching branch~~ or ~~branching branch~~ target instruction, ~~guarantees ensures~~ that the stack is in the  
11 same state, empty, after execution of the ~~branching branch~~ and before execution of the instruction  
12 to which the program has branched. This ~~mode of operation guarantees procedure ensures~~ that  
13 the stack is in a consistent state, whatever the execution ~~route path~~ which is followed through the  
14 code of the relevant ~~subprogram subroutine~~ or applet. The consistency of the stack is thus  
15 guaranteed even in the presence of a ~~branching branch~~ or ~~branching branch~~ target. Contrary to the  
16 methods and systems of the prior art, in which it is necessary to ~~conserves retain~~ in random-access  
17 memory the type of the stack at each ~~branching branch~~ target, which necessitates a quantity of  
18 random-access memory proportional to  $TpxNb$ , the product of the maximum size of execution  
19 stack ~~which is used~~ and the number of ~~branching branch~~ targets in the code, the verification  
20 method which is the subject of the present invention only needs the type of the execution stack at  
21 the time of the instruction during verification, and it does not keep in memory the type of this  
22 stack at other points of the code. Consequently, the method which is the subject of the invention

1 is satisfied with a quantity of random-access memory proportional to  $T_p$  but independent of  $N_b$ ,  
2 and consequently of the length of the code of the ~~subprogram~~subroutine or applet.

3 The requirement ~~as claimed in accordance to~~ criterion C4, ~~as claimed in accordance to~~ which  
4 a given register must be used with one and the same type throughout the code of a ~~subprogram~~,  
5 ~~guarantees~~subroutine, ensures that the abovementioned code does not use a register in an  
6 inconsistent way, e.g. by writing a short integer to it at one point of the program and rereading it  
7 as an object reference at another point of the program.

8 In the verification processes ~~which are~~ described in the prior art, in particular in the  
9 previously mentioned Java specification entitled "The Java Virtual Machine Specification",  
10 edited by Tim LINDHOLM and Frank YELLIN, to guarantee the consistency of the  
11 abovementioned uses through the ~~branching~~branch instructions, it is necessary to keep in  
12 random-access memory a copy of the ~~table of register type~~type array at each ~~branching~~branch  
13 target. This operation necessitates a quantity of random-access memory proportional to  $T_r \times N_b$ ,  
14 where  $T_r$  ~~designates~~denotes the number of registers used by the ~~subprogram~~subroutine and  $N_b$  the  
15 number of ~~branching~~branch targets in the code of this ~~subprogram~~subroutine.

16 On the contrary, the verification process which is the subject of the present invention  
17 operates on a global ~~table of register type~~type array without keeping a copy at different points of  
18 the code in random-access memory. Consequently, the random-access memory ~~which is required~~  
19 to implement the verification process is proportional to  $T_r$  but independent of  $N_b$ , and  
20 consequently of the length of the code of the relevant ~~subprogram~~subroutine.

21 The constraint ~~as claimed in accordance to~~ which a given register is used with the same  
22 type at all points, i.e. at every instruction of the relevant code, simplifies appreciably and  
23 significantly the verification of ~~subprograms~~subroutines. On the contrary, in the verification

1 processes of the prior art, in the absence of such a constraint, the verification process must  
2 establish that the subprogramssubroutines observe a strict stack discipline, and must verify the  
3 body of the subprogramssubroutines polymorphously regarding the type of certain registers.

4 In conclusion, the verification process which is the subject of the present invention,  
5 compared to the techniques of the prior art, makes it possible, on the one hand, to reduce the size  
6 of the code of the program eode which makes it possible to carryfor carrying out the verification  
7 method, and on the other hand, to reduce the consumption of random-access memory during the  
8 verification operations, the degree of complexity being of the form  $O(T_p+P_r)$  in the case of the  
9 verification process which is the subject of the present invention, instead of  $(\theta O(T_p+T_r) x N_b)$  for  
10 the verification process of the prior art, while however offering the same guarantees  
11 aboutregarding the security of execution of the verified code.

12 Finally, the process of transforming original traditionalconventional code into  
13 standardized code is implemented by localized transformation of the code without transmitting  
14 additional information to the verifier component, i.e. the microprocessor card or on-  
15 boardembedded data-processing system.

16 Regarding the method of reallocating registers as described in figs. 4b and 5b, this  
17 method differs from the known methods of the prior art, as described in particular in US Patents  
18 4,571,678 and 5,249,295, by the fact that:

19     • the register reallocation ensures that the same register cannot be assigned to two  
20 intervals with different main types, which thus guaranteesensures that a given register is used  
21 with the same type throughout the code; and

22     • the existing register allocation algorithms, which are described in the abovementioned  
23 documents, assume a fixed number of registers, and attempt to minimize the transfers, called

1       “spills”, between registers and stack, whereas reallocation of registers as ~~claimed in accordance~~  
2       with the subject of the present invention operates in a framework where the total number of  
3       registers is variable, as a consequence of which there is no purpose in carrying out transfers  
4       between registers and stacks when a process of minimizing the total number of registers is  
5       carried out. implemented.

6       The protocolprocess for managing a program fragment downloaded ~~onto~~ an ~~on~~  
7       ~~board~~embedded system, and the methods of verifying this downloaded program fragment and  
8       respectively of transforming this object code of a downloaded program fragment ~~respectively~~,  
9       which are the subjects of the present invention, can of course be implemented ~~in~~by software.

10       Therefore, the present invention also concerns a computer program product which can be  
11       loaded directly into the internal memory of a reprogrammable ~~on~~boardembedded system, this  
12       ~~on~~boardembedded system making it possible to download a program fragment consisting of an  
13       object code, a series of instructions, executable by the microprocessor of the ~~on~~boardembedded  
14       system by waymeans of a virtual machine equippedprovided with an execution stack and with  
15       local registers or variables manipulated ~~via~~by these instructions ~~so~~so that this object code can be  
16       interpreted. The corresponding computer program product includes portions of object code to  
17       execute the protocolprocess for managing a program fragment downloaded ~~onto~~ this ~~on~~boardembedded  
18       system, as shown in ~~figs~~Figs. 2 and 6 described above in the description, when  
19       this ~~on~~boardembedded system is interconnected ~~to~~with a terminal and this program is executed  
20       by the microprocessor of this ~~on~~boardembedded system by waymeans of the virtual machine.

21       The invention also concerns a computer program product which can be loaded directly  
22       into the internal memory of a reprogrammable ~~on~~boardembedded system, such as a  
23       microprocessor card with a rewritable memory, as shown with reference to ~~fig~~Fig. 6. This

1 computer program product includes portions of object code to execute the ~~stages-of~~steps for  
2 verifying a program fragment downloaded ~~onto~~to this ~~on-board~~embedded system, as shown and  
3 described above in the description, with reference to ~~figs~~Figs. 3a to 3j. This verification is  
4 executed when this ~~on-board~~embedded system is interconnected ~~to~~with a terminal and this  
5 program is executed by the microprocessor of this ~~on-board~~embedded system ~~via~~by means of the  
6 virtual machine.

7 The invention also concerns a computer program product; this computer program product  
8 includes portions of object code to execute the ~~stages~~steps of the method of transforming the  
9 object code of a program fragment into standardized object code for this same program fragment,  
10 as shown in ~~figs~~Figs. 4a, 4b, 5a, 5b and 6, and described above in the description.

11 The present invention also concerns a computer program product which is ~~recorded~~stored  
12 on a medium which can be used in a reprogrammable ~~on-board~~embedded system, e.g. a  
13 microprocessor ~~equipped~~provided with a rewritable memory, this ~~on-board~~embedded system  
14 ~~making it possible~~being used to download a program fragment consisting of an object code  
15 executable by this microprocessor, by ~~way~~means of a virtual machine ~~equipped~~provided with an  
16 execution stack and local variables or registers manipulated ~~via~~by these instructions, to  
17 ~~allow~~enable interpretation of this object code. The abovementioned computer program product  
18 includes, at least, a module of programs which can be read by the microprocessor of the ~~on-~~  
19 ~~board~~embedded system ~~via~~by means of the virtual machine, to ~~command~~control the execution of  
20 a procedure for managing the downloading of a downloaded program fragment, as shown in  
21 ~~fig~~Fig. 2 and described above in the description, a module of programs which can be read by the  
22 microprocessor ~~via~~by means of the virtual machine, to ~~command~~control the execution of a  
23 procedure for verifying, instruction by instruction, the object code which makes up this program

1 fragment, as shown and described in relation to ~~figs~~Figs. 3a to 3j in the description above, and a  
2 module of programs which can be read by the microprocessor of this ~~on-board~~embedded system  
3 viaby means of the virtual machine, to commandcontrol the execution of a downloaded program  
4 fragment following or in the absence of a transformation of the object code of this program  
5 fragment into a standardized object code for this same program fragment, as shown in ~~fig~~Fig. 2.

6 The abovementioned computer program product also includes a module of programs  
7 which can be read by the microprocessor viaby means of the virtual machine, to commandcontrol  
8 the inhibition of execution, on the ~~on-board~~embedded system, of the program fragment in the  
9 case of an unsuccessful verification procedure ~~of~~on the abovementioned program fragment, as  
10 shown and described above in the description with reference to ~~fig~~Fig. 2.

11 What is claimed is:

1

## ANNEXES

2

3

45

~~#4513354~~ v1

# 4597691\_v1



TABLE 2

Pseudo-code of verifier module

PSEUDO-CODE OF VERIFIER MODULE

5

Global variables used:

$T_r$  number of registers declared by current method  
 $T_p$  maximum size of stack declared by current method  
 $tr[T_r]$  table of register types (402 in fig. 4)  
10  $tp[T_p]$  stack type (403 in fig. 4)  
 $pp$  stack pointer (404 in fig. 4)  
 $chg$  flag indicating whether  $tr$  has changed

Initialize  $pp \rightarrow 0$

Initialize  $tp[0] \dots tp[n-1]$  from types of  $n$  arguments of method

15 Initialize  $tp[n] \dots tp[T_r-1]$  to  $\perp$

Initialize  $chg$  to true

While  $chg$  is true:

    Reset  $chg$  to false

    Position on first instruction of method

20 While end of method is not reached:

    If current instruction is target of a branching instruction:

        If  $pp \neq 0$ , verification fails

        If current instruction is target of a subroutine call:

            If previous instruction continues in sequence, failure

            Take  $tp[0] \leftarrow \text{etaddr}$  and  $pp \leftarrow 1$

25 If current instruction is an exception handler of class  $C$ :

        If previous instruction continues in sequence, failure

        Do  $tp[0] \leftarrow C$  and  $pp \leftarrow 1$

If current instruction is a target of different kinds:

30      Verification fails

    Determine types  $a_1 \dots a_n$  of arguments of instruction

    If  $pp < n$ , failure (stack overflow)

    For  $i = 1, \dots, n$ :

        If  $tp[pp+n-i-1]$  is not subtype of  $a_i$ , failure

35      Do  $pp \leftarrow pp+n$

    Determine types  $r_1, \dots, r_m$  of results of instruction

    If  $pp+m \geq T_p$ , failure (stack overflow)

    For  $i = 1, \dots, m$ , do  $tp[pp+i-1] \leftarrow r_i$

    Do  $pp \leftarrow pp+m$

40 If current instruction is a write to a register  $r$ :

Determine type  $t$  of value written to record  
Do  $tr[r] \leftarrow lower\ bound(t, tr[r])$   
If  $tr[r]$  has changed, do  $chg \leftarrow true$   
If current instruction is a branching:  
5 If  $pp \neq 0$ , verification failure  
Advance to next instruction  
Return verification success code

10

TABLE T3

```
static short[] meth(short [] table)
{
    short[] result = null;
    if (table.length >= 2) result = table;
    return table
}
```

TABLE T4

First iteration on method code:

| Method code                  | Table of register types                | Stack type                 |
|------------------------------|----------------------------------------|----------------------------|
| 0 : <code>aconst_null</code> | <code>r0: short[]   r1: _</code>       |                            |
| 1 : <code>astore 1</code>    | <code>r0: short[]   r1: _</code>       | <code>null</code>          |
| 2 : <code>aload 0</code>     | <code>r0: short[]   r1: null</code>    |                            |
| 3 : <code>arraylength</code> | <code>r0: short[]   r1: null</code>    | <code>short[]</code>       |
| 4 : <code>sconst 2</code>    | <code>r0: short[]   r1: null</code>    | <code>short</code>         |
| 5 : <code>if_scmplt 9</code> | <code>r0: short[]   r1: null</code>    | <code>short   short</code> |
| 7 : <code>aload 0</code>     | <code>r0: short[]   r1: null</code>    |                            |
| 8 : <code>astore 1</code>    | <code>r0: short[]   r1: null</code>    | <code>short[]</code>       |
| 9 : <code>aload 1</code>     | <code>r0: short[]   r1: short[]</code> |                            |
| 10 : <code>areturn</code>    | <code>r0: short[]   r1: short[]</code> | <code>short[]</code>       |

Second iteration on method code:

| Method code                  | Table of register types                | Stack type                 |
|------------------------------|----------------------------------------|----------------------------|
| 0 : <code>aconst_null</code> | <code>r0: short[]   r1: short[]</code> |                            |
| 1 : <code>astore 1</code>    | <code>r0: short[]   r1: short[]</code> | <code>null</code>          |
| 2 : <code>aload 0</code>     | <code>r0: short[]   r1: short[]</code> |                            |
| 3 : <code>arraylength</code> | <code>r0: short[]   r1: short[]</code> | <code>short[]</code>       |
| 4 : <code>sconst 2</code>    | <code>r0: short[]   r1: short[]</code> | <code>short</code>         |
| 5 : <code>if_scmplt 9</code> | <code>r0: short[]   r1: short[]</code> | <code>short   short</code> |
| 7 : <code>aload 0</code>     | <code>r0: short[]   r1: short[]</code> |                            |
| 8 : <code>astore 1</code>    | <code>r0: short[]   r1: short[]</code> | <code>short[]</code>       |
| 9 : <code>aload 1</code>     | <code>r0: short[]   r1: short[]</code> |                            |
| 10 : <code>areturn</code>    | <code>r0: short[]   r1: short[]</code> | <code>short[]</code>       |

**TABLE T5**

(a) *Violation of type constraints on arguments of an instruction:*



5

(b) *Inconsistent use of a register:*



(c) *Branchings introducing inconsistencies at stack level:*



10

(d) *Stack overflow within a loop:*



TABLE T6

(a) Initial code of method, annotated by types of registers and of stack:

|      |          |            |        |
|------|----------|------------|--------|
| 0 :  | aload 0  | r0: Object |        |
| 1 :  | ifnull 8 | r0: Object | Object |
| 4 :  | iconst 1 | r0: Object |        |
| 5 :  | goto 9   | r0: Object | int    |
| 8 :  | iconst 0 | r0: Object | int    |
| 9 :  | ineg     | r0: Object | int    |
| 10 : | istore 0 | r0: int    |        |
| 11 : | iload 0  | r0: int    |        |
| 12 : | ireturn  | r0: int    |        |

5

TABLE T7

(b) Method code after standardization of stack at branching 5 → 9:

|       |          |                      |        |
|-------|----------|----------------------|--------|
| 0 :   | aload 0  | r0: Object   r1: ⊥   |        |
| 1 :   | ifnull 8 | r0: Object   r1: ⊥   | Object |
| 4 :   | iconst 1 | r0: Object   r1: ⊥   |        |
| 4' :  | istore 1 | r0: Object   r1: ⊥   | int    |
| 5 :   | goto 8'' | r0: Object   r1: int |        |
| 8 :   | iconst 0 | r0: Object   r1: int |        |
| 8' :  | istore 1 | r0: Object   r1: ⊥   | int    |
| 8'' : | iload 1  | r0: Object   r1: int |        |
| 9 :   | ineg     | r0: Object   r1: int | int    |
| 10 :  | istore 0 | r0: int   r1: int    |        |
| 11 :  | iload 0  | r0: int   r1: int    |        |
| 12 :  | ireturn  | r0: int   r1: int    |        |

TABLE T8

(c) Method code after reallocation of registers:

|       |          |       |                          |        |
|-------|----------|-------|--------------------------|--------|
| 0 :   | aload 0  | ..... | r0: Object   r1: $\perp$ |        |
| 1 :   | ifnull 8 | ..... | r0: Object   r1: $\perp$ | Object |
| 4 :   | iconst 1 | ..... | r0: Object   r1: $\perp$ |        |
| 4' :  | istore 1 | ..... | r0: Object   r1: $\perp$ | int    |
| 5 :   | goto 8'' | ..... | r0: Object   r1: int     |        |
| 8 :   | iconst 0 | ..... | r0: Object   r1: int     |        |
| 8' :  | istore 1 | ..... | r0: Object   r1: $\perp$ | int    |
| 8'' : | iload 1  | ..... | r0: Object   r1: int     |        |
| 9 :   | ineg     | ..... | r0: Object   r1: int     | int    |
| 10 :  | istore 1 | ..... | r0: Object   r1: int     | int    |
| 11 :  | iload 1  | ..... | r0: Object   r1: int     |        |
| 12 :  | ireturn  | ..... | r0: Object   r1: int     | int    |

5 TABLE T9

(a) Branching target, previous instruction not continuing in sequence:



TABLE T10

(b) *Branching target, previous instruction continuing in sequence:*



5 TABLE T11

(c) *Unconditional branching without arguments:*



TABLE T12

10 (c) *Conditional branching with one argument:*

